Customer Security with CEO of Nametag, Aaron Painter
Steve interviews Aaron Painter of Nametag
FEATURING: Aaron Painter, CEO of Nametag
In this episode, I speak with Aaron Painter, CEO of Nametag.
Aaron shares his professional journey leading to Nametag, the world's first human identity platform. He gives his perspective on fraud attacks and security threats impacting common contact center use cases and consumer experiences. You'll also learn about Nametag's new AI-powered copilot for instant & secure identity verification.
Connecting with Aaron Painter
Contact form: https://www.getnametag.com/request
Companies & Resources Discussed
LOYAL: A Leader's Guide to Winning Customer and Employee Loyalty: https://www.amazon.com/LOYAL-Leaders-Winning-Customer-Employee/dp/161961751X
FULL EPISODE TRANSCRIPT
Welcome to the PEAK IDV EXECUTIVE SERIES video podcast, where I speak with executives, leaders, founders, and change makers in the digital identity space. I'm your host, Steve Craig, Founder and Chief Enablement Officer at PEAK IDV. For the audience, if you're listening to this, this is actually a video first series. So if you're enjoying the audio, please check out the full recording at executiveseries.peakidv.com where you can watch the full episode, there'll also be a transcript, any of the resources or links discussed today. You'll be able to access those directly in that site. I'm really excited to introduce today's guest.
He is Aaron Painter, Chief Executive Officer at Nametag. Nametag is an innovative digital identity startup with a mission to bring authenticity to the internet. I've been following Nametag’s progress in the market and I'm really impressed with their trajectory. But prior to his tenure at Nametag, Aaron was CEO of London-based Cloudreach, a Blackstone portfolio company, and the world's leading independent multi-cloud solution provider.
Aaron spent nearly 14 years at Microsoft where he held various executive leadership roles. With appointments in Beijing, Hong Kong, Paris, and São Paulo, Brazil. Aaron is a prolific public speaker and the author of LOYAL: A Leader's Guide to Winning Customer and Employee Loyalty.
Welcome, Aaron. Thanks so much for being on the podcast.
Steve, I'm a big fan of your work. It was an honor to be here.
Oh, thank you. I appreciate that. Well, let’s jump right in. I was looking at your LinkedIn profile and your company profile, and I see the tagline for Nametag is “ID anyone in 30 seconds.” What's your 30 second elevator pitch for Nametag, if we can play on that?
We are the world's fastest human identity platform.
We've been built with unique capabilities to prevent against AI generated deepfakes and content. Fundamentally, we believe that proof auth security is identity, and it's critical to protecting digital accounts in, in sort of the modern era.
Steve Craig: That's great. I like tag “human identity platform” really focusing and getting the energy to us as individuals transacting on the internet.
Where are you seeing most of the use cases for Nametag’s technology? Like what type of customers are you focusing on?
Aaron Painter: Yeah. Today, the world of protecting things online seems to revolve around companies rolling out multifactor authentication or two factor or some form of authenticator app or, you know, the old world and maybe a less secure way, things like SMS.
But what we've learned from our customers and partners is that strong authentication can happen with multifactor authentication, but that there's weakness and vulnerability at the point of enrollment and at the point of recovery. Sort of this question of how do you know who's behind the screen at the moment when you're setting up something like an authenticator app?
Or how do you respond when someone might call a help desk and claim to be the owner of the person of an account where they are actually locked out? How do you then verify who is the person behind that screen? And so we found this really unique niche is a very, very large area, large sort of addressable market where people are starting to use MFA and companies are encountering an enormous volume of lockout support tickets.
And those support tickets typically are very expensive, they're cumbersome, they're, they're hard to resolve. And there's a lot in the line because if you get it wrong, suddenly the potentially a bad actor can have access to someone's valuable digital account. And so we've really zoomed in and applying identity as this concept of the sort of perimeter into an account or into a network at that moment, again, of enrollment or at the moment of recovery.
Yeah. Yeah. I mean, it's really key. I've got a personal anecdote myself with a multifactor, I have the authenticator app and every couple of years I'll change device and if I don't forget to export those. And then I just delete the, you know, nuke the device and I get the new one and I'm like, Oh, I need my authenticator app.
How do you even log in to recover that credential? It's actually really frustrating to be able to do that.
Unfortunately, that's become a moment of vulnerability too. And many, many companies have been suffering this, particularly on their own internal networks at these places of the help desk. How do you know who the person can reach you not from the company claiming to be a help desk employee is, or how does the help desk person know if you're the person or someone claiming to be the person who's locked out?
Because you've done all this great work, you've set up authenticator apps, maybe you've given the employee a YubiKey even and all it takes is for someone to call and say, Oh, yep, that's me and I lost my YubiKey. And suddenly all of your efforts of secure authentication are kind of out the window because you don't have a way to securely recover that account and confirm their identity.
And that's what we sort of discovered has become a massive weakness in today's digital security landscape.
Steve Craig: For that account recovery contact center use case, was that an area that you pursued or was it more serendipitous? Like, how did you end up with a focus in that particular use case?
Aaron Painter: We went a little, it's a great question.
We went a little bit in a circle because for me, starting Nametag, it was very personal. I had a bunch of friends and family at the start of the pandemic who had their identities stolen. And I started to be a good friend, I'm going to be a good son, like, let's figure this out. We'll jump on the phone together.
We'll reach out to these companies and get things sorted. And unfortunately, everyone we called basically had no way to verify who we really were. And it turned out that's what had happened. Someone else had called, pretended to be them, that poor, hardworking support rep, no way to verify who the real person was, and they let a bad actor into the account.
And then there we were calling is sort of the rightful account owner. And they didn't know how to verify and sort of do their job and the level of integrity and sort of thoroughness that they wanted to. You know, all too often today, we still, even in this era, rely on things like security questions. Or knowledge-based answers, pulling through a credit bureau, or when did you open an account?
And that data, as we all know, sadly, particularly in the US, I mean, almost everyone's identity has been leaked or revealed online in some form or answers to those questions. In some cases, many times over. That's just not an efficient or secure method anymore. And so we set out to solve this problem. How do we, how do we know who's behind the screen?
Although we initially said this really applies to communities. That when you want to build a safe online community, I would argue you have a responsibility as a platform to know who that person is behind the screen. In order to help you still want to operate by an alias or a pseudonym, that's fine. But by the platform knowing who you are, they can help ensure that things are safe.
My analogy is sort of when you go into a, you might go to an event and you register the front desk and they ask for your ID, maybe your business cards or know what company you might come from. Coincidentally, they often give you a Nametag to wear in that event, but you're sort of in a bubble then.
Everyone knows that that person is sort of verified and therefore you can, you have some sense of trust and you can build relationships, you can get to know each other and build new professional and personal contacts. But when you go to the average dating site today, they're using email addresses or some form of social login, or you go to, you know, meet someone at a marketplace that you've met, do meet up in person to exchange goods, they're known by an email address.
And all too often our digital identities are simply aliases or things like an email address that unfortunately anybody can spin up a new email address and be aaronpainter23@gmail instead of aaronpainter22, and you don't really know who that person is, which creates trust and safety issues as well as.
There's somehow bad actions on a platform and you want to remove that person, just come back with a new email address. You're not really keeping things safe. So we set out to build this concept of linking government identity to an auth flow, or authentication flow, so that you can log in with a sense of comfort in knowing who the person is.
But it was in doing that that we realized one of the biggest challenges in auth wasn't auth itself. It was this element of enrollment and recovery.
Steve Craig: I really like that analogy that you put, put forward. Going to an in-person event, got name tags. Trust is so central to human relationships, whether it's person to person. Or a person to a business. And if you can just change your name tag right there in the event, then it's, yeah, there's not a lot of trust to that.
But you mentioned, the authentication flow and that process of it. There are a lot of companies in the space that have different solutions and authentication.
Some combined the identity verification up front. What would you say makes Nametag unique? Like what are some of the differentiators your company has in the market?
Yeah, at the principal level, we believe heavily in relying on someone's government issued ID, which unfortunately doesn't solve 100 percent of the world.
But for the most part, governments have gotten pretty good at knowing physically in person sort of who their citizens are and helping issue some form of government issued ID. There's great potential in decentralized identity and, and blockchain based credentials and things like that maybe down the road.
The first we tried to start with something that we felt was universal, and that is a person's government issued ID and often a photo of themselves. That flow is intentionally, similar to, what you might have gone through if you go through a, you know, KYC or a Know Your Customer flow in financial services, and you open an account.
The challenge that I was with the CEO of one of the KYC providers a few days ago, and they introduced their company as, you know, we focus on solving regulatory concern, but knowing who your customer is and regulatory use cases. Most of, if not all, of the sort of ID verification providers that have you scan your ID and take a selfie were built to solve regulatory problems. They were built for a plausible “check the box.” Yes, this person is who they claim to be, and we can go ahead and open the account. You'll notice, however, when you call your bank, they don't then ask you for your ID when you want to transact, or you want to make an account change.
They ask you security questions. And it's often because the fidelity of that KYC flow is simply not high enough. It also is because the friction of reusing that KYC flow or asking the user to again scan their ID, it's just simply too high.
And so we are focused on security. We are an identity provider that's focused on security and at the architectural layer we have built things fundamentally differently because we had a different use case in mind.
Steve Craig: That's great, Aaron. When I look at the recent press from Nametag, I saw that you announced a new product or a new feature, Nametag's AI powered co-pilot. Can you talk a little bit about that and how it relates to the differentiator you just mentioned and what your investment is in AI in general?
Yeah, I mean, AI for us happens at many, many layers of the product and the experience. At the same time, we're trying to essentially give people tools using AI as a tool for good to counter this rise in people using AI as a tool for bad and then trying to be an impersonator. The launch of our recent co-pilot, for me, goes back to that personal problem.
You know, very, very real when I was trying to call a customer support team and they didn't have the necessary tools to verify who I was. It's a fascinating industry because you have millions of customer support reps serving customers, serving internal employees, maybe as customers at an IT help desk.
And often I think you get into that profession because you like people, you want to help, you want to be helpful and solve problems. And instead we've turned these folks into identity detectives, right? They begin a customer support interaction, not by saying, how can I help? Who are you? And then they're often given a series of questions to interrogate the poor person to try and figure out if they are who they claim to be.
We've learned through a lot of user testing that is an incredibly frustrating experience for people on both sides, you know, for certain demographics, folks later in life, in particular. “What street did you live on in 1970 X?” I don't know. It's a high tension moment. It's frustrating. And by the way, the answers to those things are too easily revealed online.
And so we wanted to give tools to these customer support reps, the millions of people who every day are going and verifying the identity of callers. And it's staggering how often this happens. You know, Gartner estimates that up to 50% of calls to an IT help desk, for example, require some form of visual verification, which companies that are more progressive in the security realm have said, hey, security questions will no longer do it.
I'll tell you, certainly if you use the out-of-the-box Active Directory or Okta password or MFA reset flow, basically an SMS message. Or an email to a personal email account. Those are not secure methods. So they've said, “Hey, let's jump on a zoom call.” Let's schedule a video-based call. And Oh my goodness.
Should the cost skyrocket when they do that? Not only is it frustrating for the end-user and say the employee who might now have many hours before they can even get back to work, you have to schedule a call to help this person does some pre-work they get on the call. They're looking into the badge photo.
They're trying to add things. They might have you hold up your ID and that, that interaction. Simply to say, is this person the one that we think is the rightful account owner? Let's get them back in. So our copilot solution was built in response to that. It is an out-of-the-box, literally zero setup and zero configuration required, where you can go in and go to a browser based environment as a support rep, authenticate yourself in as a member of that company, and you can begin sending requests to anyone.
Anyone who calls and claims to be an employee or to be a customer and that they're locked out, you can send them a Nametag request. And in an average of less than 30 seconds, a user can go through the first time, scan the government ID, take a selfie, verify who they are. The rep can see that process in real time.
They can get what we call a proof of verification, but a very high fidelity view of the process that went through to give them confidence in the outcome, all the while being incredibly privacy preserving. And so we have built privacy is a really fundamental component in the product on both sides for the end user and the amount of information they need to share and the amount of information a company might need to store or that a rep might need to be exposed to and giving that sort of assurance.
So co-pilot is our out-of-the-box solution for that. And it's sort of a stepping stone many companies see as a very fast deployment. to ideally automated customer support where the rep or the employee or the end user, let's say, can maybe go through a name tag flow themselves and automatically trigger, let's say, an MFA reset, get back into their account with ever needing to engage with a support rep to begin with.
As you describe the co-pilot and the use case in supporting the support rep to be able to complete their task, I think about my personal career. I used to work in a call center when I was doing my undergrad. And there's a lot of pressure in those environments. You have abandonment rates, you have call time, you have customer service questionnaires that come out at the end.
And if you're a rep in that environment and you're trying to support someone in an account lockout, all of those things weigh on your mind. So sometimes there's an incentive to just say yes. And I think the fraudsters know that they kind of lean into that. They get aggressive, they get angry and then they push through and they succeed.
So having that co-pilot to really help put the process back in the hands of the caller to be able to complete the identity check and not lean so much on the rep. I think that's, that's pretty great. Pretty great
Thanks. One of the most shocking areas where the need is particularly great is in the telcos. You know, these telcos today, so much relies on that phone number of yours. And they have an issue a little bit on enrollment on who's getting the phone number, particularly in the US. But when you call and simply say, “Hey, I got a new phone or I'm switching to eSIM or I upgraded my phone, can you, or I lost my phone, can you move my phone number over?”
That poor rep has very little to go on to make that judgment call on whether or not to transfer the account over. And all too often that becomes a massive, inexpensive fraud vector. Because typically the first thing you do after you get a hold of that as a bad actor is go drain a coin basically. Right.
You've taken over SMS verification for someone, and you therefore have access to hundreds of other services that still rely on SMS, as a form of authentication. So the telcos oddly are on the front lines of this. They're one of the most exposed and unfortunately, some of the most high impact downstream challenges that it creates for the entire industry.
You mentioned the security questions, the knowledge based authentication, SMS, and SMS as a second factor has also got all of these risks and hitting right at the telco, you get that eSIM swap or you get that takeover and it's devastating. And then how do you, as a consumer recover from that big challenge?
And I've seen over the last few years, it accelerate, as processors share information about how to do these schemes and they find the telco that might be lacking in security protocols.
One of the things you just mentioned, though, I was thinking about data privacy. Okay, you're, you're doing this process with the co-pilot.
The last few years, there's been a lot of new data privacy regulation. In fact, just this week when we recorded this, the state of Oregon signed in their consumer data protection laws. We're seeing that increase. And we're also seeing this uptick in age restricted content, rightfully so, we need to protect underage people from getting access to adult content.
What comes with that is now you have to request more information and you have to do more identity proofing.
What is your approach to privacy preserving yet regulation supporting age verification technology, like how do you handle that in your company?
Aaron Painter: Yeah, let's start with, I don't think that's a problem that's been particularly well solved in the physical world.
So we rely on this concept that, you know, government has issued an ID, you brought a bunch of documents, someone's, a human has looked at you, they've taken a new photo of you, they've issued you some sort of identity document for that company. We rely on that as relatively a, you know, what ISO would call a supervised enrollment flow.
Relatively generally that works. On the privacy side, however, it has a lot of weaknesses. My classic example would be, let's say, when you go to a bar in the US, let's say you need to be over 21. And there's someone at the door whose job is to make sure that you are over 21. But you show them this identity credential that has your name, your home address, a whole bunch of other things that they might not necessarily need to know.
If they only need to know you're over 21, they probably don't need to know your home address. Right? And sometimes the people there, you're handing that ID to, you're not necessarily comfortable sharing all that. We call that oversharing. And our solution to that is something we call a privacy mask. Which is that just because you have scanned your government ID, let's say in the Nametag flow during enrollment, it doesn't mean that you're giving all of that information over to the company.
You become a data controller in our mind, in sort of a GDPR language, of your own personal data. And so the company then, when they are requesting information from you for any given transaction, they also don't need everything on your ID. They can request what we call scopes, or specific bits of information to say, I just need to know, is this a human and are they over 21?
For example, or what age are they, or maybe their birthday, or a variety of other factors. But they get to choose, and they get to choose for how long they want the information for even. But the end user then gets to review that request, and they're specifically opting in to share that information, that specific entity, for that period of time.
And in our model, they even have the ability to go back and revoke that information, take it back from that company, maybe take all their information back from Nametag, should they so choose. So in the end user side, we're really trying to make privacy a fundamental part of that identity journey. On the company side, same thing goes.
You know, you might not want, let's say, that support rep to be able to have access to all the information that was requested. So you can gauge that. But more importantly, you also might not want to store this new PII that you've collected. And so we make it such that the company doesn't have to store any of the information they collect.
They can simply have maybe a tracking URL back to sort of a guarantor file that we maintain for the company to confirm that, hey, this identity was verified. So in practical terms, you might be a support rep back to your early day experience, and you might send the Nametag request, and you might get the answer you need.
Maybe then you copy a tracking link. And paste that into the CRM file and say, I did my role, I confirmed who they were, here is the proof of it. But there's no PII being exchanged, there's no new PII being added to a CRM system, simply that verification. And so we believe this element of privacy is so fundamental in doing identity the right way.
And in a way that not only meets current laws, but that is progressive and sort of the spirit of a lot of these laws are going.
And age verification specifically, it's a fascinating use case because. Some of the things that, and I come back to an in-person example, when you go to, let's say, a convenience store and you want to buy an age restricted product, they have a sign on the wall that says, if you look under 30 or you look under 35, we ask for ID.
So we have a flavor of that, which is very similar, which we can take an anonymized selfie photo that you might share, run that and say, hey, do you look under 30 or under 35 or in some range? Great. If not, no problem. You're good to go. If so, “hey, you know what, let's actually ask you for ID” and let's then be able to confirm back to that company that your ID and your age has been checked again without overly disclosing information that's unnecessary in the flow.
One of the really, really magical things, though, of what we built is we call re-verification or an express re-verification experience for an end user. So once they have used Nametag once with any company, they have, if this come back on the same device and express re-verification flow. We don't just look up their account, but we ask them to take a selfie and then re-rematch that selfie biometrically to the earlier selfie back to the government issued ID and the government issued ID photo.
So we can offer the end user an express re-verification flow with very high confidence back to the company that they are still the person they claim to be but without that user having to re scan their ID. So that's what opens the use case to so many other things, including sign in. Most importantly, in this case, let's say age verification, when you might be into a world soon where you need to be age verifying many different web properties with high frequency, we can make that experience in two or three seconds.
And in that process, is the end consumer actively setting up an account with Nametag? Is it like an identity wallet then at that point? Or is it just something that you're storing in the background and it just is seamless to them.
I kind of think of it like Square. Did you ever use the cash register as a Square?
You know, and you tap your card, you put in a card to buy a coffee, maybe a coffee shop. One time they might say, hey, do you want a receipt? And you put in your email address to get a receipt. And then the next time you come and you swipe your card, you just get emailed a receipt. We view the Nametag concept working very similarly.
So that first time that you're asked, “Hey, do you want a receipt?” Or this first time you're asked for your ID, we take you through a flow that's in quite quick. But that second time around, you have a more convenient experience. And so we're creating essentially a one human gets one Nametag, which is great for security and privacy and a whole bunch of recoverability perspectives.
We're creating an account for you sort of in the cloud, so to speak. We're very thoughtful about where data processing happens and where data is stored. It allows us to solve one of these fundamental problems, which is what happens when I lose my device or I get a new device? How do I sort of recover my identity?
And again, some of our sort of patented technology kicks in there. We can rematch. You to the early information you shared to sort of re-trust that new device to enable you to have that express experience moving forward.
That's great. Thanks for sharing how that works. I hadn't thought about that process.
I love that feature from Square because it just makes it easier the next time you transact and you don't have to then put in another email address. And then you're just getting these receipts from all of the people that are using that point-of-sale system. When you were describing the re verification process in my mind, I was also thinking about authentication specifically around passwordless.
What's your take on the adoption curve of passwordless? It feels like there's more interest. But are we close? I mean, we've been talking about it for 10 + years, moving to a passwordless world.
Aaron Painter: I think we're getting closer, particularly on, uh, end user customer facing accounts, uh, which is great.
Although the challenge remains on enrollment and then recovery. And so passwordless MFA is fundamentally still MFA. And you're still fundamentally tied largely to an email address. And then typically some form of a device. But when you lose access to that device, you still need to know who's behind the screen.
And so we've seen passwordless MFA as an accelerator for our business where we're helping companies think about secure enrollment and secure recovery. And then we've also built a solution that can kind of fill in the middle because once a user again is enrolled, we can offer them an express re verification and really an express sign in experience, should that be appropriate for the scenario.
But again, we get really excited about passwordless MFA as creating, sadly, kind of more challenges and more need for efficient recovery and in some cases, efficient enrollment. I get excited when I see the changes on passwordless MFA. The only thing I get a little bit stuck on is it's not really passwordless.
You are essentially saving a password. You are still largely creating accounts where you have a password. And then in some sign-in experiences, you don't have to use that password. They keep the password because, again, when you switch devices, let's say you're on an iPhone and you go to your PC, you might still need that password to sign into the account.
Or at that time when you're trying to claim recovery, let's say to get back into but having that password, unfortunately, it's still the fundamental security weakness because passwords, as we all know, are compromised. They can be shared. There are a whole bunch of things go wrong with them.
And so passwordless MFA is a great convenience advance and has some security benefits in terms of authentication, but it has the same problems of MFA and not solving enrollment in recovery.
Yeah, and in the recovery stages, if you're going to use a biometric. One of the things that has come up a lot in conferences that I've attended and webinars that I've dialed into is this rise of synthetic media, generative media, and just how good the deepfake technology is getting and deepfakes aren't new, it's been around for a while, but now it's been democratized where anyone can go into a GitHub, download some code and they can create them.
How do you see this evolving and what's your thought on how you help force those in terms of, you know, liveness attacks, spoofing, injection, the camera.
How does that work with the Nametag?
Aaron Painter: I'd say the concern is real. I think one we're seeing an enormous amount of companies that are coming to us saying I have problem now and I need a different approach, you know, some of the voice authentication providers are some of the most at risk right now.
They are really in companies that are using them are getting very nervous. It was in recent reports. I think that, you know, up to 99% of voices can be recreated using synthetic technologies. It's a concern for the industry and sort of how we've so far adopted tools like that. We believe fundamentally that mobile phones and the technology in modern mobile phones is an incredible tool to defeat against these, these sort of approaches and attacks.
And architecturally, that is one of the things that makes Nametag very unique. We have built a model that is fully mobile first. Now, today when you go through a KYC flow, it is almost 100% a browser-based flow. Which means it exists desktop or mobile in a browser. The challenge with browsers is they are susceptible to manipulation.
They are susceptible to injecting things in a browser-based flow. They're also often limited, unfortunately, to the tools like a desktop webcam. And so, some of, many of the KYC tools, you could, not exactly today, but imagine, go to GPT and say, here's a photo of me, make me a California driver's license, save as PDF, upload into a KYC flow, and then, with some, hold up a photo, maybe some claim to have liveliness detection, and they try and, you know, a photo or video doesn't quite work, but it is an insecure flow.
It's sufficient for KYC regulatory approvals, it is not sufficient to prevent fraud.
And so by using a mobile phone, you end up with a very different approach because you get to have a cryptographic connection with a secure enclave in these devices. So not only are you not allowing an upload button of a document, but you're preventing against someone being able to inject digital manipulated files into an enrollment flow, which is a fundamentally different advance.
You also get incredibly fun platform features in these mobile phones to go use.
Things like the, you know, the FaceID or the 3D depth mapping camera, right? That is incredibly advanced in detecting three dimensionality and sort of human presence. You know, today, reCAPTCHA is sort of the best on the internet today of, is this person human?
Flashing a 3D depth map camera is a completely different level of advancement. And that's core and sort of fundamental in our flow. As is the Secure Enclave, as is able to use all the onboard advanced cameras, advanced GPU and processing in mobile phones. So we get higher quality capture. We have a bunch of very smart fraud algorithms and unique ML that we built in analyzing every step of that flow.
So it feels fast and snappy, basically a mobile app or using mobile technology natively, but it's also incredibly secure and it allows for this element of reusability.
Looking at Nametag’s founding timeline. It was 2020 that you started the company, is that right?
The middle of the pandemic. That's right.
The middle of the earliest pandemic.
Yeah. A brave new world. You're like, let's start a company. I'm thinking in 2020, some of the technologies that you're describing were just coming out and when I think about other providers in the ecosystem that have had longer 10 years, With their product stack, it can be challenging to re-platform, to create new SDK.
Did you go into building Nametag, seeing some of those technologies and saying, we got to use that, the, the, the cutting edge, the state of the art, like what was your, your product roadmap focus in those first months?
Aaron Painter: You know, very candidly, we were focused on privacy, we were focused on sharing, reusability, connecting government ID to auth.
And we still see an enormous market there. We thought we could actually use one of these sort of KYC providers as part of our flow. We thought they could be partners. “Hey, you know, we can buy someone else's KYC technology, do the ID, do the selfie, and then allow users to done it from there.”
And we found was that architecturally, the way that they did that was unfortunately just too old fashioned.
I mean, some of those providers, you know, are still largely manual. Which is sort of shocking they would send it to an outsourced team and somebody would try human error, a photo and an ID document. Some of the more modern players have said, ah, we'll apply, you know, AI or machine matching to do that.
So at least automated, which is great, but because it's browser based and because it's susceptible to digital manipulation, it wouldn't work for our use cases. And so that's what guided us to have to build sort of a fundamentally different approach. And then you bet we had a great time saying how do we use every modern tool in the security toolbox to build something that can be sort of a low friction and high security.
And that's what led us to, you know, the first to have sort of app clips or instant apps on Android and Apple, which are full native apps that are deployed over the air, registered with Apple, but give you the security functionality of a native app without needing to actually download the app as an end user.
Things like that were just super great advances that we for the first time brings the identity industry. And coupled with a lot of these other innovations that, that we had in mind and wanting to build, and we've been able to combine them all and bring them to market in a really compelling way.
It's great. It's a great progression from where you started to using some of these cutting edge pieces and the mobile ecosystem still evolves pretty rapidly, you know, iPhone has a healthy clip of new versions of it, form factors. They're always releasing new capabilities and features. So to be able to keep up with that can be pretty challenging.
And then when you zoom out at the global scale, the demographics of different regions vary, in one region, one country, Android might be the dominant versus maybe like in the US like Apple might be slightly higher percentage. For you and your career, as you've traveled around the world and you've lived in different countries and maybe speak different languages from the times you spent in those countries.
How has the travel and your global experience affected how you build this human identity platform having interacted with a lot of different types of humans and cultures?
Aaron Painter: it's a great question. Most of my last 20 years have been living outside the US. I had a goal, sort of, at one point in my life to visit a hundred countries. And I did that and then sort of stopped counting. And I love understanding new peoples and cultures and ways of doing business. I'd say one of the biggest learnings in this space in particular is, is identity is a global challenge.
And in some ways it is solved in the physical world to different degrees by different governments. Almost universally that experience has not smoothly carried over to the digital realm yet. And fraud is different in different markets, attitudes towards privacy are different. But there's this sort of fundamental core that humans want to be recognized, who they are, at certain times, right?
Sometimes you might want to be anonymous, or you want to make an anonymous comment in a forum. Again, I would argue the platform has responsibility to know who you are. But there are other times when your account is on the line, in our lives, we all have different things that matter to us in these different digital accounts.
Whether that's your bank account or your marketing automation platform or your internet domain, or maybe it's your social media account, if you're that's sort of a billion or social media influencer, we have different things that matter to us, but we should have the choice to make sure that we have high security protections on those, those accounts.
And today we don't really. The gold standard is to put MFA on them and MFA unfortunately has these vulnerabilities on the enrollment. And so identity is a global challenge and we have very much set out to solve it from a global perspective partly because the companies that we started working with in our early days very quickly said, “Hey, I have users all over the world. You can't just accept US ID types. I need to be able to accept ideas and documents from all over the world.”
And so from day one, we really look very quickly. I went to day one very quickly and we realized we had to build a global solution that would work in so many different markets and allow people and humans in all different parts of the world to contribute into their local or into the global digital economy, using some form of reusable identity.
And the physical world has changed so much in the last three years caused by the pandemic. Where it seems like almost every country now has some sort of digital nomad visa and you have a lot of Americans going out into other countries and living there for the first time and there's a lot of cross border commerce.
It's really interesting to think about identity as such an important human asset. Like it is who we are in the physical world and we've gotten better and better at it in the digital world. Over the last few years, we've also heard there's going to be this convergence, you know, phygital, like combining physical world and digital world in the metaverse.
And this was a big topic around this time last year with Facebook rebranding earlier in that year to Meta and then announcing all the great things they were building in Oculus. It didn't quite pan out. And even though Apple just came out with a Vision Pro announcement and that's going to release, I don't know if this world where we're all putting screens on our head and walking around and being concerned about now identities and physical, digital, and then a metaverse is going to happen on the timeline that some of these companies thought, what is your perspective on the metaverse piece connected to these topics?
Yeah, Meta’s in particular his angle on the metaverse it's a built community. And I believe that trusted communities know the members. And it is very hard to build a safe and trusting community if you don't know who authentically the humans are behind those avatars or virtual accounts. Because as we saw with some of the early metaverse platforms, maybe a little bit less meta, it has been harassment, has been bad things happening in these metaverse environments because everyone essentially was anonymous.
Or operate by a pseudonym. And that to me is not a successful roadmap for the future. In fact, that is a thing that we have done poorly in sort of a Web 2.0 social world. That bringing forward into a Web3 or metaverse-based environment would be a detriment to society. I believe we have to solve this issue of identity and get it right in order to create safe, healthy, constructive, internet, virtual, metaverse like experiences.
And the same thing I think goes for content creators. I believe that it is going to get increasingly difficult to know whether the content that's created is actually done by a person or which person or done by a machine. And therefore it is even more important to know the authenticity of the creator themselves.
So when a user posts content or when a user comments on content or in any way creates content, we should be verifying that they are a real person and the platform should take responsibility for knowing the real person behind it and allow them to operate under their real name or a pseudonym or whatever else.
I believe we have to verify the authenticity of creators if we're going to trust what is created and then lives in sort of the virtual realm.
I agree 100% as someone who's started to create more and more content. I've put enough video and audio out there that I'm easily deepfake-able. Please don't do that if you're listening, by the way.
And the platforms have tried to make strides. There's Meta Verified, Twitter released a blue checkmark program. But they're not as successful as I think they could be, perhaps not implemented in the way they should. And that's an area that before we jump into the metaverse, we should probably figure out that problem and get that right before we start allowing the creation of a bunch of different avatars and different levels.
I would submit that one of the reasons why they have not gotten it right is they have not gotten right the concept of re-verification. And so if you look at, you know, take Airbnb. Airbnb was very innovative in trying to get replicated in-person experience. You check into a hotel, give them your credit card, you give them your ID, they know it's you and they give you your room.
Airbnb said, great, let's do the same thing. At sign-up, let's check your ID and let's start putting your credit card. Great. The problem is you can be a member of Airbnb for years. You can give those credentials to other people, your credentials could be lost or stolen, and you operate with that verified profile essentially for eternity, right?
Or until maybe at some point they decide it's worth doing something different about it or re-challenging your restriction of who you are. And it's the same thing with bringing it into Twitter Verified. Telling me that I one time verified who I am, or on any social network you did a one-time identity check, and not having a way to re-verify who I am at some frequency, let alone in an ideal world every time I sign in.
To me, you are creating a false sense of security and that is, that is not going to help us build trust and safer digital interaction.
Just a snapshot in time, those accounts, those identities, those documents even become expired that you couldn't get on an airplane with them or open an account.
So why do you continue to hold on to that credential?
Well, we're, we're getting close to time here, Aaron. I have just a few final questions as we've been talking about the metaverse. I think about the future and what's on the horizon for you and Nametag. Is there anything that you could sneak preview share with us in your 2023 plan or the years ahead?
Yeah, we want to solve the biggest issue in security today, which is who is the person behind the screen. And we think that there's more and more opportunities to create an automated secure sort of experience that. Frankly, when you get rid of the tradeoff between security and usability, you can open up the value of a reusable identity and a whole bunch of new use cases that ultimately takes us closer to our mission of creating a safer and more trusted internet.
And so everything you'll see us do is sort of in that spirit of how do we take the fidelity of what we're doing to capture an enrollment, the reusability. So that you can get back into your account when you're locked out. You can sign up for new accounts. You can basically log into accounts, um, with this sense of authenticity and knowing who the person is.
So we're, we're very, very focused on solving this issue of identity as a, as a security risk and alleviating that risk to the user's accounts can be.
Now, if you've watched a few of these episodes and for the, the listeners who subscribed, one of the goals of this episode is to help people understand the person behind the LinkedIn profile, behind the press releases.
Besides founding and leading Nametag, the public speaking that you do, the book you wrote, and your continued thought leadership there, what are some of your hobbies here? Like, what do you spend, if you have any free time, what do you spend, what are causes that you spend time on?
I love travel, I love photography, I love learning about people and cultures, I love following news and information, particularly from around the world and different countries.
I'd say I'm, I'm fundamentally motivated on helping humans grow in their careers. And a lot of my time at Microsoft in particular was moving to new geographies and there was a business in back of doing that and broke through in a lot of new markets and like opened Microsoft in a lot of new places and countries around the world.
Fundamentally, the sort of legacy I was leaving in a humble way is helping to help share new things with the people that I'm working with and learning from them. And so this concept of helping people grow in their careers from learning other perspectives and through other experiences. That's really motivated me.
It's been what encouraged me to kind of keep going and living in new countries around the world, what encouraged me to sort of write that book and try and write some of those lessons down and sort of in on paper so that maybe others could learn from them or benefit from them.
And it's what inspires me every day at Nametag.
I love having the chance to work with our team members, to bring in new team members, to help them sort of learn and grow in their careers, ultimately towards making an impact on this sort of world of identity that we all live in.
That's so awesome. Thank you for sharing that. Aaron, we're just out of time here. The last question for you is what's the best way the audience can engage with you or Nametag? What sort of conversations would you like to arise out of this?
I'm a big LinkedIn, so please feel free to reach out on LinkedIn, sort of my probably primary platform. Love messages, love comments.
You'll see us trying to create a bunch of content, me personally, especially from Nametag, to try and contribute in this space. In the spirit of what you're trying to do with PEAK IDV all the time, we love your content. And then of course our website, getnametag.com. It's a good way to just learn more about what we're up to.
Thank you so much for the praise, Aaron. It helps fuel my mission when I know people are enjoying the content and reaching the 10,000 mark for experts in digital identity. I really enjoyed this conversation. I'd love to hear the story, your perspective on the market, and I look forward to seeing your continued success at Nametag.
Thank you so much, Aaron.